Abstract

In this note, we present a complete characterization of the utility metrics that allow for 
non-trivial differential privacy guarantees. 
1 Introduction



The field of data privacy is, at its heart, the study of tradeoffs between utility and privacy. The
theoretical computer science community has embraced a strong and compelling definition of privacy,
differential privacy [2, 3], but utility definitions, quite naturally, depend on the application
at hand. For a given function $f$, can we achieve arbitrarily close to perfect utility by relaxing the
privacy parameter sufficiently? We show that this question has a satisfyingly simple answer: yes, if
and only if the image of $f$ has compact completion. Furthermore, in this case there exists a single
base measure $\mu$ such that conventional exponential mechanisms based on $\mu$ are capable of achieving
arbitrarily good utility.

2 Definitions 

We are given two metric spaces $(X, \rho)$ and $(Y, \sigma)$ and a continuous function $f : X \to Y$. We think
of the input database as being an element $x \in X$, and our goal is to disclose an approximation
to the value of $f(x)$ while preserving privacy. To allow for a cleaner exposition, we will assume
throughout this paper that $f$ has Lipschitz constant 1, i.e. $\sigma(f(x), f(z)) \le \rho(x, z)$ for all $x, z \in X$.
All of our results generalize to arbitrary Lipschitz continuous functions, an issue that we return to
in Remark 2.4.

Definition 2.1. A mechanism is a function $\mathcal{M} : X \to \Delta(Y)$, where $\Delta(Y)$ denotes the set of all
Borel probability measures on $Y$. For a point $x \in X$, we will often denote the probability measure
$\mathcal{M}(x)$ using the alternate notation $\mathcal{M}_x$.

Definition 2.2. For $\varepsilon > 0$, we say that a mechanism $\mathcal{M}$ achieves $\varepsilon$-differential privacy if the
following relation holds for every $x, z \in X$ and every Borel set $T \subseteq Y$:

$$\mathcal{M}_x(T) \le e^{\varepsilon \rho(x,z)} \mathcal{M}_z(T). \tag{1}$$

For $\gamma, \delta > 0$, we say that $\mathcal{M}$ achieves $\gamma$-utility with probability at least $1 - \delta$ if the following relation
holds for every $x \in X$:

$$\mathcal{M}_x(B_\sigma(f(x), \gamma)) \ge 1 - \delta. \tag{2}$$

We abbreviate this relation by saying that $\mathcal{M}$ achieves $(\gamma, \delta)$-utility.

Definition 2.3. Given a function $f : X \to Y$, the privacy-utility tradeoff of $f$ is the function

$$\varepsilon^*(\gamma, \delta) = \inf\{\varepsilon > 0 \mid \exists \text{ a mechanism } \mathcal{M} \text{ satisfying } \varepsilon\text{-differential privacy and } (\gamma, \delta)\text{-utility}\},$$

where the right side is interpreted as $\infty$ if the set in question is empty.

Remark 2.4. In prior work on differential privacy, it is more customary to express differential
privacy guarantees in terms of an adjacency relation on inputs, rather than a metric space on the
inputs. In this framework, the sensitivity of $f$ (the maximum of $|f(a) - f(b)|$ over all adjacent
pairs $a, b$) plays a pivotal role in determining the privacy achieved by a mechanism. The Lipschitz
constant of $f$ plays the equivalent role in our setting.

1 A number of results in the literature, including recent work of Roth and Roughgarden [6] on mechanisms for
predicate queries, achieve only a weakened definition of privacy known as $(\varepsilon, \delta)$-differential privacy; such results do
not fit in the framework presented here.
One could of course equate the two frameworks by defining the privacy metric $\rho$ to be the
shortest-path metric in the graph defined by the adjacency relation. This would equate the
Lipschitz constant of $f$ with its sensitivity. However, it is much more convenient to describe our
mechanisms and their analysis under the assumption that $f$ has Lipschitz constant 1; for any
Lipschitz continuous $f$ this can trivially be achieved by rescaling both $\rho$ and the corresponding privacy
bound by $C$, the Lipschitz constant of $f$.

Thus, for example, if one is given a function $f$ and wishes to know whether there exists a
mechanism achieving $\varepsilon$-differential privacy and $(\gamma, \delta)$-utility, the answer is yes if and only if $\varepsilon/\varepsilon^*(\gamma, \delta)$
is greater than the Lipschitz constant (i.e., sensitivity) of $f$. In cases where the sensitivity $\Delta f$
depends on the number of points in an input database, $N$, the relation $\varepsilon/\varepsilon^*(\gamma, \delta) > \Delta f$ can be used
to solve for $N$ in terms of the parameters $\varepsilon, \gamma, \delta$. For example, in many papers (e.g. [1]) $\Delta f = 1/N$
and then we find that $N = \varepsilon^*(\gamma, \delta)/\varepsilon$ is the minimum number of points in the input database
necessary to achieve $\varepsilon$-differential privacy and $(\gamma, \delta)$-utility.

Remark 2.5. Our definition of utility captures many prior formulations. For settings where the
output space is simply $\mathbb{R}$, the traditional utility metric reflecting the difference between the given
answer and the true answer is easily captured in our framework. A variety of prior work on
problems involving more complex outputs can also be cast as measuring utility in a metric space.
For example, Blum et al. [1] propose utility with respect to a concept class $\mathcal{H}$, and define the utility
of a candidate output database $y$ on an input $x$ as $\max_{h \in \mathcal{H}} |h(x) - h(y)|$. This setup can be viewed
as mapping input databases $x$ to vectors $(h_1(x), h_2(x), \ldots)$ and taking the utility metric $\sigma$ to be
the $L^\infty$ metric on output vectors. Hardt and Talwar [3] use $L^2$ as their utility metric, but whereas
they compute the mean square (or $p$-th moment) of its distribution, we define disutility to be the
probability that the $\sigma$ value exceeds $\gamma$.

Definition 2.6. Given a measure $\mu$ on $X$, and a scalar $\beta > 0$, the (conventional) exponential
mechanism is given by the formula:

$$\mathcal{M}^{\mu,\beta}_x(T) = \frac{\int_T e^{-\beta\sigma(f(x),y)}\,d\mu(y)}{\int_Y e^{-\beta\sigma(f(x),y)}\,d\mu(y)} \tag{3}$$

provided that the denominator is finite. Otherwise $\mathcal{M}^{\mu,\beta}_x$ is undefined.²

The differential privacy guarantee for exponential mechanisms is given by the following theorem, 
whose proof parallels the original proof of McSherry and Talwar [5] and is given in the Appendix. 

Theorem 2.7. If $f$ has Lipschitz constant $C$ then the conventional exponential mechanism is
$(2C\beta)$-differentially private for every $\mu$.



3 A topological criterion for privacy-compatibility 

A surprising result of Blum et al. [1] shows that, in the natural setting of one-dimensional range
queries over continuous domains, no mechanism can simultaneously achieve non-trivial privacy
and utility guarantees. What is it about this application that makes privacy fundamentally
impossible? In this section, we introduce a definition of privacy-compatibility and give a complete
characterization of the applications that satisfy this definition.

Definition 3.1. We say that $f$ is privacy-compatible if $\varepsilon^*(\gamma, \delta) < \infty$ for all $\gamma, \delta > 0$.

2 We use the word "conventional" here to refer to the rich subclass of exponential mechanisms whose score function
is $\sigma$; however, not all exponential mechanisms fall in this class.
Suppose that $f$ is Lipschitz continuous and that the metric space $(X, \rho)$ is bounded. We
now prove that $f$ is privacy-compatible if and only if the completion of the metric space $f(X)$
is compact. Observe that rescaling the metrics $\rho, \sigma$ does not affect the question of whether $f$ is
privacy-compatible nor whether $f(X)$ has compact completion, but it does rescale the Lipschitz
constant of $f$ and the diameter of $X$. Accordingly, we may assume without loss of generality that
the Lipschitz constant of $f$ and the diameter of $X$ are both bounded above by 1, i.e.

$$\sigma(f(x_1), f(x_2)) \le \rho(x_1, x_2) \le 1 \tag{4}$$

for all $x_1, x_2 \in X$.

Definition 3.2. A probability measure $\mu$ on a metric space $(X, \sigma)$ is uniformly positive if it is the
case that for all $r > 0$,

$$\inf_{x \in X} \mu(B_\sigma(x, r)) > 0.$$

Example 3.3. The uniform measure on $[0, 1]$ is uniformly positive. The Gaussian measure on $\mathbb{R}$
is not uniformly positive because one can find intervals of width $2r$ with arbitrarily small measure
by taking the center of the interval to be sufficiently far from 0.

Theorem 3.4. If the Lipschitz constant of $f$ and the diameter of $X$ are both bounded above by 1,
then the following are equivalent:

1. $f$ is privacy-compatible;

2. For every $\gamma, \delta > 0$, there is a conventional exponential mechanism that achieves $(\gamma, \delta)$-utility;

3. There exists a uniformly positive measure on $(f(X), \sigma)$;

4. The completion of $(f(X), \sigma)$ is compact.



Proof. For simplicity, throughout the proof we assume without loss of generality that $Y = f(X)$.
The notation $B(y, r)$ denotes the ball of radius $r$ around $y$ in the metric space $(Y, \sigma)$.

(2) $\Rightarrow$ (1) The exponential mechanism achieves $(2\beta)$-differential privacy.

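(3) $\Rightarrow$ (2) For $\mu$ a uniformly positive measure on $(Y, \sigma)$, and $\gamma, \delta > 0$, let $m = \inf_{y \in Y} \mu(B(y, \gamma/2))$
and let $\beta = \frac{2}{\gamma} \ln\left(\frac{1}{m\delta}\right)$. We claim that the exponential mechanism $\mathcal{M} = \mathcal{M}^{\mu,\beta}$ achieves $(\gamma, \delta)$-utility.
To see this, let $x \in X$ be an arbitrary point, let $z = f(x)$, and let

$$a = \int_{B(z,\gamma)} e^{-\beta\sigma(z,y)}\,d\mu(y), \qquad b = \int_{Y \setminus B(z,\gamma)} e^{-\beta\sigma(z,y)}\,d\mu(y).$$

We have

$$a \ge \int_{B(z,\gamma/2)} e^{-\beta\sigma(z,y)}\,d\mu(y) \ge \int_{B(z,\gamma/2)} e^{-\beta\gamma/2}\,d\mu(y) = e^{-\beta\gamma/2}\,\mu(B(z, \gamma/2)) \ge e^{-\beta\gamma/2}\, m$$

$$b \le \int_{Y} e^{-\beta\gamma}\,d\mu(y) = e^{-\beta\gamma}.$$

Hence, for every $x \in X$,

$$\mathcal{M}_x(B(f(x), \gamma)) = \frac{a}{a+b} = 1 - \frac{b}{a+b} \ge 1 - \frac{b}{a} \ge 1 - \frac{e^{-\beta\gamma}}{e^{-\beta\gamma/2}\, m} = 1 - \frac{1}{e^{\beta\gamma/2}\, m} = 1 - \delta.$$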
(4) $\Rightarrow$ (3) We use the following fact from the topology of metric spaces: a complete metric space
is compact if and only if, for every $r$, it has a finite covering by balls of radius $r$. (See Theorem A.2
in the Appendix.) For $i = 1, 2, \ldots$, let $C_i = \{y_{i,1}, \ldots, y_{i,n(i)}\}$ be a finite set of points such that
the balls of radius $2^{-i}$ centered at the points of $C_i$ cover $Y$. Now define a probability measure $\mu$
supported on the countable set $C = \bigcup_{i=1}^{\infty} C_i$, by specifying that for $y \in C$, $\mu(y) = \sum_{i : y \in C_i} \frac{1}{2^i n(i)}$.
Equivalently, one can describe $\mu$ by saying that a procedure for randomly sampling from $\mu$ is to
flip a fair coin until heads comes up, let $i$ be the number of coin flips, and sample a point of $C_i$
uniformly at random. We claim that $\mu$ is uniformly positive. To see this, given any $r > 0$ let
$i = \lceil \log_2(1/r) \rceil$, so that $2^{-i} \le r$. For any point $y \in Y$, there exists some $j$ ($1 \le j \le n(i)$) such that
$y \in B(y_{i,j}, 2^{-i})$. This implies that $B(y, r)$ contains $y_{i,j}$, hence $\mu(B(y, r)) \ge \mu(y_{i,j}) \ge \frac{1}{2^i n(i)}$. The
right side depends only on $r$ (and not on $y$), hence $\inf_{y \in Y} \mu(B(y, r))$ is strictly positive, as desired.

(1) $\Rightarrow$ (4) We prove the contrapositive. Suppose that the completion of $Y$ is not compact. Once
again using point-set topology (Theorem A.2), this implies that there exists an infinite collection of
pairwise disjoint balls of radius $r$, for some $r > 0$. Let $y_1, y_2, \ldots$ be the centers of these balls. By
our assumption that $Y = f(X)$, we may choose points $x_i$ such that $y_i = f(x_i)$ for all $i \ge 1$. Suppose
we are given a mechanism $\mathcal{M}$ that achieves $r$-utility with probability at least 1/2. For every $\alpha > 0$
we must show that $\mathcal{M}$ does not achieve $\alpha$-differential privacy. The relation $\sum_{i=1}^{\infty} \mathcal{M}_{x_1}(B(y_i, r)) \le 1$
implies that there exists some $i$ such that

$$\mathcal{M}_{x_1}(B(y_i, r)) < e^{-\alpha}/2. \tag{5}$$

The fact that $\mathcal{M}$ achieves $r$-utility with probability at least 1/2 implies that

$$\mathcal{M}_{x_i}(B(y_i, r)) \ge 1/2. \tag{6}$$

Combining (5) with (6) leads to

$$\mathcal{M}_{x_i}(B(y_i, r)) > e^{\alpha} \mathcal{M}_{x_1}(B(y_i, r)) \ge e^{\alpha\rho(x_i, x_1)} \mathcal{M}_{x_1}(B(y_i, r)), \tag{7}$$

hence $\mathcal{M}$ violates $\alpha$-differential privacy. □
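A numerical illustration of steps (4) $\Rightarrow$ (3) and (3) $\Rightarrow$ (2), added here and not part of the original note: on $Y = [0, 1]$ with $f$ the identity, it builds the coin-flip measure $\mu$ from dyadic grids, sets $\beta = \frac{2}{\gamma}\ln\frac{1}{m\delta}$ (the value at which the bound $a/(a+b) \ge 1 - \delta$ closes), and measures the worst-case utility and the slack in the $2\beta$ privacy bound. Assumptions: $\mu$ is truncated to finitely many levels and renormalised, the infimum $m$ is taken over a finite grid of inputs, and all function names are illustrative.

```python
import math

def dyadic_net_measure(levels):
    """mu from step (4) => (3) on Y = [0, 1]: C_i is the grid of spacing 2^-i and
    mu(y) = sum over i with y in C_i of 1 / (2^i * n(i)).
    Assumption: truncated at `levels` and renormalised so it can be stored."""
    mu = {}
    for i in range(1, levels + 1):
        net = [k / 2**i for k in range(2**i + 1)]
        for y in net:
            mu[y] = mu.get(y, 0.0) + 1.0 / (2**i * len(net))
    total = sum(mu.values())
    return {y: w / total for y, w in mu.items()}

def ball_mass(measure, centre, r):
    """Mass that `measure` gives to the open ball B(centre, r)."""
    return sum(w for y, w in measure.items() if abs(y - centre) < r)

def mechanism(mu, beta, z):
    """Conventional exponential mechanism at z = f(x): weights e^{-beta*sigma(z,y)} mu(y)."""
    w = {y: math.exp(-beta * abs(z - y)) * p for y, p in mu.items()}
    s = sum(w.values())
    return {y: v / s for y, v in w.items()}

def check(gamma=0.1, delta=0.05, levels=6):
    mu = dyadic_net_measure(levels)
    xs = [k / 200 for k in range(201)]      # constructed inputs; f is the identity
    # m approximates inf_y mu(B(y, gamma/2)) by a minimum over the sampled inputs.
    m = min(ball_mass(mu, x, gamma / 2) for x in xs)
    beta = (2 / gamma) * math.log(1 / (m * delta))
    mech = {x: mechanism(mu, beta, x) for x in xs}
    # Utility: worst-case probability of landing within gamma of f(x).
    worst_utility = min(ball_mass(mech[x], x, gamma) for x in xs)
    # Privacy: on a countable support, pointwise ratios bound the ratio for every set T.
    worst_excess = max(
        math.log(mech[x][y] / mech[z][y]) - 2 * beta * abs(x - z)
        for x in xs[::10] for z in xs[::10] for y in mu
    )
    return {"m": m, "beta": beta, "worst_utility": worst_utility,
            "worst_excess": worst_excess}

if __name__ == "__main__":
    print(check())
```

A non-positive `worst_excess` means no sampled pair of inputs exceeds the $e^{2\beta\rho(x,z)}$ ratio, and `worst_utility` shows how conservative the choice of $\beta$ is relative to the target $1 - \delta$.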
A Appendix

Lemma A.1. If $f : X \to Y$ has Lipschitz constant 1, then the conventional exponential mechanism
$\mathcal{M}^{\mu,\beta}$ achieves $(2\beta)$-differential privacy.

Proof. The proof follows the original proof of McSherry and Talwar [5]. The triangle inequality
implies that for any $x, z$



The inequality $\mathcal{M}_x(T) \le e^{2\beta\rho(x,z)} \mathcal{M}_z(T)$ follows upon taking the quotient of these two inequalities. □



Theorem A.2. For a metric space $(X, \sigma)$, the following are equivalent:

1. The completion of $X$ is a compact topological space.

2. For every $r > 0$, $X$ can be covered by a finite collection of balls of radius $r$.

3. For every $r > 0$, $X$ does not contain an infinite collection of pairwise disjoint balls of radius $r$.

Proof. (2) $\Rightarrow$ (1) Assume that property (2) holds. Recall that a metric space is compact if and
only if every infinite sequence of points has a convergent subsequence, and it is complete if and only
if every Cauchy sequence is convergent. Thus, we must prove that every infinite sequence $x_1, x_2, \ldots$
in $X$ has a Cauchy subsequence. We can use a pigeonhole-principle argument to construct the
Cauchy subsequence. In fact, the construction will yield a sequence of points $z_1, z_2, \ldots$ and sets
$S_1, S_2, \ldots$ such that the diameter of $S_k$ is at most $1/k$ and $z_i \in S_k$ for all $i \ge k$; these two properties
immediately imply that $z_1, z_2, \ldots$ is a Cauchy sequence as desired.

The construction begins by defining $S_0 = X$. Now, for any $k > 0$, assume inductively that
we have a set $S_{k-1}$ such that the relation $x_i \in S_{k-1}$ is satisfied by infinitely many $i$. Let
$B_1, B_2, \ldots, B_{n(k)}$ be a finite collection of balls of radius $\frac{1}{2k}$ that covers $X$. There must be at
least one value of $j$ such that the relation $x_i \in S_{k-1} \cap B_j$ is satisfied by infinitely many $i$. Let
$S_k = S_{k-1} \cap B_j$ and let $z_k$ be any point in the sequence $x_1, x_2, \ldots$ that belongs to $S_k$ and occurs
strictly later in the sequence than $z_{k-1}$. This completes the construction of the Cauchy subsequence
and establishes that the completion of $X$ is compact.

(1) $\Rightarrow$ (3) If $X$ contains an infinite collection of pairwise disjoint balls of radius $r$, then the
centers of these balls form an infinite set with no limit point in $X$, violating compactness.

(3) $\Rightarrow$ (2) Given $r > 0$, let $B(x_1, r/2), \ldots, B(x_n, r/2)$ be a maximal collection of disjoint balls
of radius $r/2$. (Such a collection must be finite, by property (3).) The balls $B(x_1, r), \ldots, B(x_n, r)$
cover $X$, because if there were a point $y \in X$ not covered by these balls, then $B(y, r/2)$ would be
disjoint from $B(x_i, r/2)$ for $i = 1, \ldots, n$, contradicting the maximality of the collection. □